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System for providing encrypted data, system for decrypting 
encrypted data and method for providing a communication in- 
terface in such a decrypting system. 

The invention generally relates to a system for 
providing encrypted data to be used in a content player, to a 
system for decrypting encrypted data in a content player, and 
to a method for providing a communication interface between a 
5 decryption device and a secure device in a content player. 

More particularly the invention relates to such systems and a 
method to create an open access interface for a wide range of 
multimedia terminals. 

In the present specification the term "content 
10 player" is meant to indicate any type of consumer equipment, 
such as a (digital) TV set, a set top box, a DVD player or a 
(digital) VCR. In order to allow access to contents, such as 
a movie, football match, etc., it is known to protect the 
contents by encryption of the data using a suitable encrypti- 
15 on algorithm. Subscribers are provided with a set top box for 
example and a secure device, wherein the secure device gene- 
rates information necessary to decrypt the encrypted data. 
Conventional systems of this type are provided with a fixed 
interface and protocols for communication between the secure 
20 device and the content player. A fixed interface shows the 
disadvantage that the content player can only be used with 
one or more specific secure devices. 

The invention aims to provide systems and a method 
of the above-mentioned type allowing to create a variable in- 
25 terface between the secure device and a content player. 

According to a first aspect of the invention, a 
system for providing encrypted data to be used in the content 
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player is provided, comprising an encryption device for en- 
crypting data using an encryption algorithm, a protection de- 
vice for providing secure device data, and for providing in- 
formation on a protocol for communication between the content 
5 player and a secure device, and a control device for provi- 
ding a protected contents containing the encrypted data, the 
secure device data, said protocol information and attribute 
data on the different parts inside the protected contents. 

According to a 3econd aspect of the invention, a 
10 system for decrypting encrypted data in a content player is 
provided, comprising an input for receiving a protected con- 
tents containing the encrypted data, secure device data, in- 
formation on a protocol for communication between the content 
player and a secure device, and attribute data on the diffe- 
15 rent parts inside the protected contents, a decryption device 
and a control device, wherein the control device is program- 
med to use said protocol information to establish a communi- 
cation interface between the decryption device and a secure 
device used with the contents player, wherein the decryption 
20 device is adapted to communicate with the secure device as 

controlled by the protocol information to obtain information 
required to decrypt the encrypted data. 

According to a further aspect of the invention, a 
method for providing a communication interface between a de- 
25 cryption device in a content player and a secure device is 
provided, comprising receiving a protected contents contai- 
ning information on a protocol for communication between the 
content player and a secure device, and attribute data on the 
different parts inside the protected contents, retrieving 
30 said protocol information from the protected contents to es- 
tablish a communication interface between the decryption de- 
vice and a secure device used with the contents player. 
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According to a still further aspect of the inven- 
tion a method for transmitting or the like of encrypted data 
is provided, wherein the encrypted data is obtained by means 
of the system for providing encrypted data according to the 
5 invention. 

In this manner the invention provides a variable 
interface platform, wherein any communication interface bet- 
ween a secure device and content player can be established. 
The invention allows content protection technology to be 

10 adapted and to maintain interoperability with existing tech- 
nology used in present consumer equipment* In this manner 
backwards compatibility in content protection systems and se- 
cure device interfaces is obtained. 

The invention will be further explained by referen- 

15 ce to the drawings in which an embodiment of the systems of 
the invention applying the method of the invention are shown 
in a schematical manner. 

Fig. 1 shows an in-home distribution network inter- 
connecting a number of consumer content players • 

20 Fig. 2 shows a diagram of the architecture of an 

embodiment of the system for providing encrypted data to be 
used in a content player according to the invention - 

Fig. 3 shows a diagram of the architecture of an 
embodiment of the system for decrypting encrypted data in a 

25 content player according to the invention* 

By way of example fig. 1 shows an in-home distribu 
tion netwerk 1 interconnecting a plurality of content player 
devices such as a TV set 2, a DVD player 3, a DVCR 4 and a PC 
5. Further a camcorder 6, a set top box (STB) 7 and a secure 

30 device 8, such as for example a smart card, are connected to 
the network 1. Finally the network is linked to a wide area 
network, such as the internet r as indicated by reference nu- 



meral 9. In this example of an in-home distribution network 
1, the STB 7 and the secure device 8 communicate through a 
communication interface in order to decrypt any encrypted da- 
ta obtained from protected contents as will be described la- 
5 ter* The STB 7 and secure device 8 are common to the content 
players 2-5 in this example, although it is also possible 
that each of the content players is provided with its own de- 
coder/decryption device communicating with its own secure de- 
vice. It is noted that protected contents can be moved 
10 through the network 1 to a target content player using a sui- 
table protocol and adressing technique which are not part of 
the present invention. 

Fig, 2 shows a system for providing encrypted data 
to be used in a content player, comprising an encryption de- 
15 vice 10, a protection device 11 and a control device 12 in- 
cluding a multiplexer 13. Clear contents, such as a movie, a 
football match, etc., is encrypted in the encryption device 
10 using a suitable encryption algorithm. In the encryption 
algorithm keys are used which are provided by the protection 
20 device 11 and these keys are themselves encrypted in one or 
more formats by the protection device 11. The encrypted keys 
are provided as secure device data. The protection device 11 
further provides information on a protocol for communication 
between the content player and the secure device 8 . In the 
25 embodiment shown, the information on the protocol and encryp- 
tion format (s) is provided as one or more secure device ap- 
plets . 

The encrypted contents provided by the encryption 
device, the secure device applet (s) and the secure device da- 
30 ta are multiplexed into protected contents, also containing 
attribute data provided by the control device 12. The attri- 
bute data are required to find the relevant parts inside the 



protected contents structure. The output of the multiplexer 
13 can be broadcast for example or stored on a suitable medi- 
um for later use. 

The system shown in fig. 2 may be adapted to handle 
5 one or more different secure device formats and for each of 
these formats the protection device 11 provides a secure de- 
vice applet. The main funtion of the secure device applet is 
to implement in the content player the protocol and format to 
communicate with the secure device connected to the content 
10 player- In this manner it is possible to provide an interface 
between the secure device and the content player without spe- 
cific knowledge beforehand of the protocol required by the 
specific secure device used. 

Preferably each secure device applet is authentica- 
15 ted, for example by a signature which shows that it origina- 
ted from a legitimate source. Suitable public key cryptograp- 
hic hashing functions can be used. 

Fig. 3 shows a system for decrypting encrypted data 
in a content player as shown/ comprising an input 14 for re- 
20 ceiving protected contents, a decryption device 15 and a con- 
trol device 16 including a demultiplexer 17, A secure device 
8 is connected to the control device 16, Further a decoder 18 
is shown for decoding decrypted data in a manner known per 
se, The decoder 18 is not part of the present invention. The 
25 attribute data is used in the control device 16 to demulti- 
plex the protected contents to retrieve a secure device ap- 
plet or applets, the secure device data and the encrypted 
contents and to forward rhe respective parts of the contents 
to the corresponding components of the content player. 
30 In order to decrypt the encrypted contents, the 

content player needs to retrieve the keys from the secure de- 
vice 8 - To this end the control device 12 determines the type 
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of secure device 8 connected to the content player and 
searches the attribute data to select the appropriate corres- 
ponding security device applet. The control device 16 inclu- 
des an applet loader 19 to verify the signature of the secure 
5 device applet. If the secure device applet is verified, this 
applet is downloaded in a virtual machine programmed into the 
control device and is executed in this environment to esta- 
blish a communication interface between the secure device 8 
and the content player and decryption device 15. Once the 
10 communication interface is established, the secure device ap- 
plet operates to fetch the secure device data from the pro- 
tected contents which is tranformed by the secure device 8 
into the keys required by the decryption device 15 to decrypt 
the encrypted contents • 
15 As noted, the applet loader 19 verifies whether the 

secure device applet is an authentic one* In this manner the 
applet loader restricts access to the virtual machine to tho- 
se applets originating from an authentic source, H standard 
method to achieve verifying of the secure device applet is 
20 authentication using a public key cryptographic hashing func- 
tion- Optionally, the applet may be encrypted using a conven- 
tional secret key cryptographic algorithm- The attribute data 
contains fields specifying both the type of cryptographic al- 
gorithm and secret key index to be used in the signature ve- 
25 rification process. 

In the virtual machine P the secure device applet 
uses a content player application program interface to commu- 
nicate with the content player on the one side and a security 
application program interface to communicate with the secure 
30 device 8 and the decryption device 15, 

The control device 12 is arranged to indicate in 
the attribute data the type of secure device 8 supported in 
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the content player* When the secure device 8 has been deter- 
mined/ for example by finding the unique identifier in a man- 
ner known per so, the secure device applet corresponding with 
the secure device by virtue of having a matching identifier 
5 is selected from the at tribute data. On the basis of this in- 
formation, the applet loader retrieves the secure device ap- 
plet from the protected contents. This process will generally 
be used in an application, wherein the protected contents is 
received in a continuous stream in case of a 

10 broadcasting environment for example. The same process can be 
used when the protected contents is stored on a tape or disc- 
In case of an broadcasting environment or wide area network, 
it is also possible for the applet loader 19 to request a 
service provider or the like to forward a secure device ap- 

15 plet corresponding to the detected type of secure device. 

It is observed that the security of the system de- 
scribed is at least as good as any existing security system. 
As the protected contents is always encrypted until it rea- 
ches the target content player, it is difficult to obtain a 

20 clear text version of the contents* Moreover the flexibility 
of the system described allows for defense and counter measu- 
res against presently existing attacking techniques, which 
counter measures are not available in existing protection 
systems • 

25 It is noted that the term "content player" should 

be understood as to mean any device mentioned above or even a 
separate decoder equipment having an interface for the secure 
device* Further it is noted that although wording is used in 
the above description suggesting separate devices in the sys- 

30 terns decribed, it will be clear that both the encrypting and 
decrypting system can be implemented by means of a micropro- 
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cessor and suitable peripheral circuits operating in the man- 
ner described as controlled by suitable software. 

The system described supports a wide range of ap- 
plications. As already mentioned, a first application area is 
5 a broadcasting environment* The content player in this case 
can be a set top box connected to a TV or a DVCR. The virtual 
machine can be implemented using JAVA. Generally an ISO 7816 
smart card is used as secure device. According to a favoura- 
ble embodiment/ it will also be possible for non-subscribers 
10 to buy a specific "event", such as a football match/ using a 
standard banking card, wherein the applet loader requests the 
service provider to download a suitable secure device applet. 
Other applications are pre-recorded media, such as CD, DVD, 
DVCR tapes and other cassettes. In the described system of 
15 the invention , the stored protected contents includes a num- 
ber of supported secure device applets, so that the applet 
loader of the control device can retrieve the secure device 
applet corresponding with the secure device used in the spe- 
cific content player. In this manner again backwards compati- 
20 bility is allowed, whereas future upgrades can be made in a 
flexible manner. 

The invention is not restricted to the above - 
described embodiments which can be varied in a number of ways 
within the scope of the following claims. 

25 
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CLAIMS 



1. System for providing encrypted data to be used 
in a content player , comprising an encryption device for en- 
crypting data using an encryption algorithm, a protection de- 
vice for providing secure device data, and for providing in- 
5 formation on a protocol for communication between the content 
player and a secure device, and a control device for provi- 
ding a protected contents containing the encrypted data, the 
secure device data, said protocol information and attribute 
data on the different parts inside the protected contents. 
10 2. System according to claim 1, wherein said pro- 

tection device provides at least one secure device applet 
containing said information on a protocol for communication. 

3. System for decrypting encrypted data in a con- 
tent player, comprising an input for receiving encrypted data 

15 containing encrypted contents, secure device data, informati- 
on on a protocol for communication between the content player 
and a secure device, and attribute data on the different 
parts inside the protected contents, a decryption device and 
a control device, wherein the control device is programmed to 

20 use said protocol information to establish a communication 
interface between the decryption device and a secure device 
used with the content player, wherein the decryption device 
is adapted to communicate with the secure device as control- 
led by the protocol information to obtain information regui- 

25 red to decrypt the encrypted data. 

4. System according to claim 3, wherein said pro- 
tocol information is provided as a secure device applet, whe- 



rein the control device is programmed to operate as a virtual 
machine to execute the secure device applet to establish said 
communication interface . 

5. System according to claim 3, wherein at least 
5 one secure device applet in the protected contents is authen- 
ticated, wherein the control device comprises an applet loa- 
der for verifying the authentication of a secure device ap- 
plet, wherein only a verified secure device applet is loaded 
into the virtual machine. 
10 6. System according to claim 5, wherein at least 

one secure device applet in the protected contents is encryp- 
ted, wherein the applet loader is adapred to decrypt an en- 
crypted secure device applet . 

7. System according to claim 4, 5 or 6, wherein 
15 the virtual machine comprises a content player application 

program interface and a security application program interfa- 
ce, the secure device applet communicating with the content 
player and the secure device by means of said interfaces - 

8. System according to anyone of claims 4-7, whe- 
20 rein the control device is arranged to determine the type of 

secure device used in the system, wherein the control device 
is arranged to retrieve a secure device applet from the pro- 
tected contents corresponding with the type of secure device, 

9. System according to anyone of claims 4-8, whe- 
25 rein the system is part of a content player connected to a 

network, wherein the control device is arranged to determine 
the type of secure device used in the system, and wherein the 
control device is arranged to request a corresponding secure 
device applet to be downloaded from a service provider. 
30 10. Method for providing a communication interface 

between a decryption device and a secure device in a content 
player, comprising receiving a protected contents containing 
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information on a protocol for communication between the con- 
tent player and a secure device, and attribute data on the 
different parts inside the protected contents, retrieving 
said protocol information from the protected contents to es- 
5 tablish a communication interface between the decryption de- 
vice and a secure device used with the contents player. 

11. Method according to claim 10, wherein said pro- 
tocol information is provided as a secure device applet, whe- 
rein the secure device applet is executed in a virtual machi- 

10 ne to establish the communication interface. 

12. Method according to claim 10 or 11, further 
comprising detecting the type of secure device used with the 
content player, and retrieving corresponding protocol infor- 
mation or a secure device applet from the protected contents, 

15 13- Method according to claim 10 or 11, further 

comprising detecting the type of secure device used with the 
content player, and requesting corresponding protocol infor- 
mation or a secure device applet from a source providing the 
protected contents. 

20 14- Method according to anyone of claims 10-13, 

wherein said protocol information or secure device applet is 
authenticated, further comprising verifying the authentica- 
tion, and using only verified protocol information or a veri- 
fied secure device applet to establish said communication in- 

25 terface. 

15. Method for transmitting or the like encryted 
data obtained by means of a system according to claim 1 or 2 - 
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A system for providing encrypted data to be used in 
a content player, comprises an encryption device for encryp- 
ting data using an encryption algorithm, a protection device 
for providing security device data, and for providing infor- 
5 mation on a protocol for communication between the content 
player and a secure device, and a control device for provi- 
ding a protected contents containing the encrypted data f the 
secure device data, said protocol information and attribute 
data on the different parts inside the protected contents. 
10 The encrypted data can be transmitted or stored on a suitable 
medium- A system for decrypting encrypted data in a content 
player, comprises an input for receiving encrypted data con- 
taining the encrypted contents, secure device data, informa- 
tion on a protocol for communication between the content 
15 player and a secure device, and attribute data on the diffe- 
rent parts inside the protected contents, a decryption device 
and a control device- The control device is programmed to use 
said protocol information to establish a communication inter- 
face between the decryption device and a secure device used 
20 with the contents player. The decryption device is adapted to 
communicate with the secure device as controlled by the pro- 
tocol information to obtain information required to decrypt 
the encrypted data. The communication interface between the 
decryption device and the secure is established by receiving 
25 the protected contents containing information on a protocol 
for communication between the content player and the secure 
device, and attribute data on the different parts inside the 
protected contents. The protocol information is retrieved 
from the protected contents to establish the communication 
30 interface, 
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